Verify error:Cannot negotiate ALPN protocol

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: --renew -d

It produced this output: Verify error:Cannot negotiate ALPN protocol

My web server is (include version): nginx v2.8.8

The operating system my web server runs on is (include version): FreeBSD 11.2-RELEASE-p15, FreeNAS 11.3-U4

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): v2.8.8

--alpn needs to exclusively bind to port 443 on your server. This means you would need to stop nginx before renewing the certificate1.

I'm not sure whether you've got setup to do that, but the error message suggests that nginx is still running at the time of renewal.

1. Unless you're doing something like this.

1 Like

I see that you are trying to renew this domain.
Doesn't that mean that you initially issued it using and TLS-ALPN?
If so, you should already be aware of the intricacies involved.
If not, then there may be a problem with's recollection of that issuance.

Thank you so much for your swift reply!
Just simply shutting down nginx did the trick.

I have been trying to trouble shoot this for about a month. I've read multiple solutions, also here, but I couldn't find a proper answer.

Is there a standard method for stopping the nginx service before is kicked off, or should I just create my own cron script for this?

1 Like

Thank you for your reply, the problem was I didn't stop nginx before kicking off
Issuing the first certificate wasn't a problem. I didn't need a secure connection for this.
After the certificate was in place, I opened up port 443.

I just wasn't able to trouble shoot this from the

But still thank you for your time to help me!

1 Like

You could use --pre-hook and --post-hook parameters to stop and then start nginx.

More info here:

Just reading on your suggestion, it states the hooks are only accepted on issuing a new certificate.
It's not clear (At least to me) if this will also work when renewing the certificate.

Can I just call these hooks in this sitruation?

That is correct but you can use --issue parameter to "renew" your existing cert and you can also modify the conf manually not needed to execute the --issue command again.

Here the doc (pay attention to bold):

Those hooks are only accepted by the --issue command, but will be saved and apply to --renew or --cron commands as well.

I found the in ~/
In this conf file I have Le_PreHook='' entry.

I suppose the value of the Le_PreHook should be something like 'service nginx stop' ?

Sorry, I forgot to show you how to do that.

Yes and no :wink: encode the command in base64 and use delimiters.

In this example we will use systemctl stop nginx on pre-hook, and systemctl start nginx on post-hook. The domain is and the cert home is ~/

Just edit file ~/ and replace Le_PreHook='' with the ouput of below command:

echo "Le_PreHook='__ACME_BASE64__START_$(printf '%s' 'systemctl stop nginx' | openssl base64 -e)__ACME_BASE64__END_'"

and Le_PostHook='' with the output of below command:

echo "Le_PostHook='__ACME_BASE64__START_$(printf '%s' 'systemctl start nginx' | openssl base64 -e)__ACME_BASE64__END_'"

Thanks sahsanu!

systemctl is not implemented on FreeBSD, but it is clear to me what to do.

Thank you for your time. :clap: :clap:


Yeah, it was just an example, use the command or commands you need :wink:

You are welcome.

1 Like